Overview of Networks and Security
When using SGD, client devices never connect directly to application servers. Instead they connect to SGD using Hypertext Transfer Protocol (HTTP) or HTTP over Secure Sockets Layer (HTTPS) and the SGD Adaptive Internet Protocol (AIP). SGD then connects to the application servers on the user’s behalf.
The following are the main network connections involved when using SGD:
Connections between client devices and SGD servers
Connections between SGD servers and application servers
Connections between SGD servers in an array
In a default SGD installation, most network connections are not secure. The following sections describe how you can secure these network connections.
Client devices make the following connections to SGD servers:
HTTP connections. These are the connections to the SGD web server, used for SGD web services, authentication to SGD, and to display the webtop.
AIP connections. These are the connections between the SGD Client and an SGD server, used for displaying applications.
To secure these connections, configure the SGD web server to be a secure (HTTPS) web server, and enable SGD security services. See Secure Connections to SGD Servers for details.
The SGD Secure Gateway can be used to provide an increased level of security between client devices and SGD servers. When you use the Gateway, client devices do not connect directly to SGD. Instructions on how to install, configure, and use the SGD Gateway are included in the Oracle Secure Global Desktop 4.6 Gateway Administration Guide.
The connections between SGD servers and application servers are used to start applications on the application server, and to send and receive data from the application, such as key presses and display updates.
The level of security between SGD and your application servers depends on the types of application server and the protocols they use.
When connecting using the Telnet protocol or the rexec command, all communication and passwords are transmitted unencrypted.
For secure connections to UNIX or Linux system application servers, use Secure Shell (SSH). SSH encrypts all communications between SGD hosts and encrypts passwords before they are transmitted. See Using SSH.
By default, SGD secures X displays using X authorization to prevent users from accessing X displays they are not authorized to access.
Windows applications use the Microsoft Remote Desktop (RDP) protocol. This means that all communication is encrypted, and connections to Microsoft Windows application servers are secure.
The level of security depends on the type of web server used to host the web application, as follows:
HTTP web servers – All communication is unencrypted
HTTPS web servers – All communication is encrypted
For secure connections to web application servers, use HTTPS web servers.
Connections between SGD servers are used to share static and dynamic data across the array. See Replicating Data Across the Array for details of the information that is communicated on these connections. In a standard installation, the data transmitted between the SGD servers in an array is not encrypted. See Secure Intra-Array Communication for details on how to secure these connections.